forked from security/wiki
1 line
3.4 KiB
JSON
1 line
3.4 KiB
JSON
{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"SIG/Security Wiki","text":"<p>The Security SIG repositories provide extra security-related packages and security-hardened override packages (replacing those from the main distribution) for Rocky Linux and other Enterprise Linux (EL) distributions.</p>"},{"location":"#responsibilities","title":"Responsibilities","text":"<p>Developing and maintaining various security related packages that are not in upstream EL. Identifying, developing, and maintaining security hardening changes relative to upstream EL packages. Occasionally including/backporting additional security fixes that are not yet in upstream EL packages. Contributing to the respective upstreams where practical.</p>"},{"location":"#repo-installation","title":"Repo Installation","text":"<pre><code>dnf install rocky-release-security\n</code></pre>"},{"location":"#packages","title":"Packages","text":""},{"location":"#extra-packages-for-el8-and-el9","title":"Extra packages (for EL8 and EL9)","text":"<ul> <li>lkrg (Linux Kernel Runtime Guard)</li> <li>passwdqc (Password/passphrase strength checking and policy enforcement)</li> </ul>"},{"location":"#override-packages-currently-only-for-el9","title":"Override packages (currently only for EL9)","text":"<ul> <li>glibc (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package)</li> <li>openssh (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package's functionality)</li> </ul> <p>The changes are described in more detail in the package changelogs. More packages/changes are planned, including override packages also for EL8.</p>"},{"location":"#known-effective-vulnerability-mitigations-and-fixes","title":"Known-effective vulnerability mitigations and fixes","text":"<p><code>glibc-2.34-60.el9_2.security.0.2</code> (specifically the <code>.0.2</code> version!) includes mitigations sufficient to avoid security exposure of CVE-2023-4911 and a backport of upstream glibc fix of CVE-2023-4527 that was not yet in upstream EL.</p> <p>The inclusion of additional security fixes will be \"reverted\" if and when those get included in upstream EL packages that we rebase our changes on.</p>"},{"location":"#source-code","title":"Source code","text":"<p>Just like for other Rocky Linux SIGs, the source trees for Security SIG packages are maintained in per-package git repositories. Each repository contains branches <code>r8</code> and/or <code>r9</code> corresponding to target EL version.</p>"},{"location":"#contributing","title":"Contributing","text":"<p>If anyone else wants to join this effort - in any capacity including development, maintenance, testing, documentation, user support, spreading the word, or something else - please join the Mattermost channel below and let us know!</p> <p>We also welcome well-reasoned suggestions/feedback/preferences on direction we should take (e.g., only making changes on top of EL's vs. offering newer upstream versions), what else to package, and what other changes to include.</p>"},{"location":"#meetings-communications","title":"Meetings / Communications","text":"<p>We hang out in our Security Mattermost channel.</p>"},{"location":"#members","title":"Members","text":"<p>Some of the people particularly active with setting up this SIG so far:</p> Name Mattermost Name Neil Hanlon @neil Scott Shinn @atomicturtle Solar Designer @solardiz"}]} |